Protecting Medical Devices against Cyberthreats

Over the past year, several events have given legs to the growing body of concern over the potential for medical devices to be compromised by hackers. Security tests of various devices by expert hackers and security laboratories have shown that a range of devices, from implantable insulin pumps to defibrillators, pacemakers, and other medical electronics, are vulnerable to hacking. The potential for such hacking to compromise a medical device recently became reality by the spread of a malware virus, “WannaCry” ransomware, that was able to compromise a variety of medical equipment such as imaging systems and dye injectors (Wired. Published March 2, 2017.).

Explore this issue:

What has emerged is the need to protect medical devices against a two-fold cyberthreat. First is the need to protect individual patients from the potential for harm if the device itself is compromised, such as a hack into an insulin pump that resets the device to administer a fatal dose of insulin to the patient. Second, systems must be protected against being hacked through the portal of a medical device, an easy entry point to a hospital network that could lead to stealing medical records.

To that end, a number of government and non-government agencies are working together to address these risks and ultimately protect patients while securing their privacy.

Risk to Otolaryngologic Devices

Although no known vulnerability risk has been detected in medical devices used in otolaryngology, such as cochlear implants and hearing aids, the potential exists for such vulnerability.

“Any medical device that can be connected through wired or wireless means to an external device, typically for the purpose of changing control settings, can conceivably be hacked,” said Stephen L. Grimes, managing partner at medical technology consulting firm Strategic Healthcare Technology Associates, based in Swampscott, Mass. “The external device might be a controller, a computer, a thumb drive, or other remote storage device,” he added.

To date, however, no specific cybersecurity concerns have been reported for devices used by otolaryngologists, and concern over this issue is not yet widespread among the specialty, according to Kenneth H. Lee, MD, PhD, chair of the American Academy of Otolaryngology Head & Neck Surgery (AAO-HNS) Medical Devices and Drugs Committee.

He believes that the security risk to current technologies used for cochlear implants and hearing aids, such as the use of Bluetooth streaming from smart phones to adjust settings, is limited. “I don’t think there is significant concern about individuals desiring to randomly access settings of a patient’s implant or hearing aid,” he said.